Latest Posts

Analysing CVE-2023-51467 - Apache OFBiz Authentication bypass to Remote Code Execution
This article aims to explore the details of CVE-2023-51467 and explain the process of constructing an exploit leading to Remote Code Execution.
Dive deep into Android Application Security - OWASP MSTG Uncrackable level 1 writeup
Uncrackable Apps for Android is a collection of mobile reversing challenges maintained by the OWASP MSTG (Mobile Security Testing Guide) authors. Cracking and solving these challenges is a fun way to learn Android security.
From 4 sources to 3 sinks in DOM XSS - DomGoat level 1-10 (all levels) writeup
DomGoat is a DOM Security learning platform written by Lava Kumar Kupan (from Ironwasp security) with different levels, each level targetting on different sources and sinks.
Analysis and Exploitation of Prototype Pollution attacks on NodeJs - Nullcon HackIM CTF web 500 writeup
Prototype Pollution attacks on NodeJs is a recent research by Olivier Arteau where he discovered how to exploit an application if we can pollute the prototype of a base object.
Exfiltrating remote localStorage data with XSS - Insomnihack teaser 2017 "The Great escape part 2" web 200 writeup
Exfiltrating data from remote browser localStorage using XSS (Insomnihack teaser 2017 web 200 writeup)
Exploiting internal tomcat server with SSRF - Insomnihack teaser 2017 Web 50 writeup
Exploiting internal tomcat server (with default credentials) using SSRF (Insomnihack teaser 2017 Web 50 writeup)
eLearnSecurity Practical Web Defense (eWDP) course review
Practical Web Defense is a unique course which focus on both attacking and *defending* web Applications unlike the traditional courses which focuses only on attacking applications.
Bypassing path restriction on whitelisted CDNs to circumvent CSP protections - SECT CTF Web 400 writeup
How can we bypass CSP using whitelisted CDNs and path traversal (SECT CTF 2016 web 400 writeup)